diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix
index 1413ed4..d9a257a 100644
--- a/hosts/architect/prosody.nix
+++ b/hosts/architect/prosody.nix
@@ -7,17 +7,20 @@ let
   network = import ./network.nix;
 in
 {
+  architect.firewall = {
+    openTCP = [ 5222 5269 ];
+  };
+
   services = {
     prosody = {
       enable = true;
-      virtualHosts = {
-        "${domain}" = {
-          domain = domain;
-          enabled = true;
-          ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
-          ssl.cert =
-            "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
-        };
+      virtualHosts.${domain} = {
+        inherit domain;
+
+        enabled = true;
+        ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+        ssl.cert =
+          "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
       };
 
       muc = [{ domain = conference_domain; }];
@@ -27,11 +30,16 @@ in
       #httpInterfaces = [ "wg0" ];
       #httpsInterfaces = [ "wg0" ];
     };
-  };
 
-  services.nginx.virtualHosts."${domain}".enableACME = true;
-  #services.nginx.virtualHosts."${conference_domain}".enableACME = true;
-  #services.nginx.virtualHosts."${upload_domain}".enableACME = true;
+    nginx.virtualHosts = {
+      "${domain}" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+      # "${conference_domain}".enableACME = true;
+      # "${upload_domain}".enableACME = true;
+    };
+  };
 
   networking.extraHosts = ''
     ${network.architect-lan} ${domain}